1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/common/cast/cast_cert_validator.h"
7 #include <openssl/digest.h>
8 #include <openssl/evp.h>
9 #include <openssl/rsa.h>
10 #include <openssl/x509.h>
12 #include "base/logging.h"
13 #include "base/strings/string_number_conversions.h"
14 #include "base/strings/string_util.h"
15 #include "base/strings/stringprintf.h"
16 #include "crypto/openssl_util.h"
17 #include "crypto/scoped_openssl_types.h"
18 #include "extensions/browser/api/cast_channel/cast_auth_ica.h"
19 #include "net/cert/x509_certificate.h"
20 #include "net/cert/x509_util_openssl.h"
21 #include "net/ssl/scoped_openssl_types.h"
23 namespace extensions
{
25 namespace cast_crypto
{
28 class CertVerificationContextOpenSSL
: public CertVerificationContext
{
30 // Takes ownership of the passed-in x509 object
31 explicit CertVerificationContextOpenSSL(X509
* x509
) : x509_(x509
) {}
33 VerificationResult
VerifySignatureOverData(
34 const base::StringPiece
& signature
,
35 const base::StringPiece
& data
) const override
{
36 // Retrieve public key object.
37 crypto::ScopedEVP_PKEY
public_key(X509_get_pubkey(x509_
.get()));
39 return VerificationResult(
40 "Failed to extract device certificate public key.",
41 VerificationResult::ERROR_CERT_INVALID
);
43 // Make sure the key is RSA.
44 const int public_key_type
= EVP_PKEY_id(public_key
.get());
45 if (public_key_type
!= EVP_PKEY_RSA
) {
46 return VerificationResult(
47 std::string("Expected RSA key type for client certificate, got ") +
48 base::IntToString(public_key_type
) + " instead.",
49 VerificationResult::ERROR_CERT_INVALID
);
52 const crypto::ScopedEVP_MD_CTX
ctx(EVP_MD_CTX_create());
54 !EVP_DigestVerifyInit(ctx
.get(), NULL
, EVP_sha1(), NULL
,
56 !EVP_DigestVerifyUpdate(ctx
.get(), data
.data(), data
.size()) ||
57 !EVP_DigestVerifyFinal(
58 ctx
.get(), reinterpret_cast<const uint8_t*>(signature
.data()),
60 return VerificationResult("Signature verification failed.",
61 VerificationResult::ERROR_SIGNATURE_INVALID
);
63 return VerificationResult();
66 std::string
GetCommonName() const override
{
67 int common_name_length
= X509_NAME_get_text_by_NID(
68 x509_
->cert_info
->subject
, NID_commonName
, NULL
, 0);
69 if (common_name_length
< 0)
71 std::string common_name
;
72 common_name_length
= X509_NAME_get_text_by_NID(
73 x509_
->cert_info
->subject
, NID_commonName
,
74 WriteInto(&common_name
, static_cast<size_t>(common_name_length
) + 1),
75 common_name_length
+ 1);
76 if (common_name_length
< 0)
82 net::ScopedX509 x509_
;
87 VerificationResult
VerifyDeviceCert(
88 const base::StringPiece
& device_cert
,
89 const std::vector
<std::string
>& ica_certs
,
90 scoped_ptr
<CertVerificationContext
>* context
) {
91 crypto::EnsureOpenSSLInit();
92 crypto::OpenSSLErrStackTracer
err_tracer(FROM_HERE
);
94 // If the list of intermediates is empty then use kPublicKeyICA1 as
95 // the trusted CA (legacy case).
96 // Otherwise, use the first intermediate in the list as long as it
97 // is in the allowed list of intermediates.
98 base::StringPiece ica_public_key_der
=
99 (ica_certs
.size() == 0)
100 ? cast_channel::GetDefaultTrustedICAPublicKey()
101 : cast_channel::GetTrustedICAPublicKey(ica_certs
[0]);
103 if (ica_public_key_der
.empty()) {
104 return VerificationResult(
105 "Device certificate is not signed by a trusted CA",
106 VerificationResult::ERROR_CERT_UNTRUSTED
);
108 // Initialize the ICA public key.
109 const uint8_t* ica_public_key_der_ptr
=
110 reinterpret_cast<const uint8_t*>(ica_public_key_der
.data());
111 const uint8_t* ica_public_key_der_end
=
112 ica_public_key_der_ptr
+ ica_public_key_der
.size();
113 crypto::ScopedRSA
ica_public_key_rsa(d2i_RSAPublicKey(
114 NULL
, &ica_public_key_der_ptr
, ica_public_key_der
.size()));
115 if (!ica_public_key_rsa
|| ica_public_key_der_ptr
!= ica_public_key_der_end
) {
116 return VerificationResult("Failed to import trusted public key.",
117 VerificationResult::ERROR_INTERNAL
);
119 crypto::ScopedEVP_PKEY
ica_public_key_evp(EVP_PKEY_new());
120 if (!ica_public_key_evp
||
121 !EVP_PKEY_set1_RSA(ica_public_key_evp
.get(), ica_public_key_rsa
.get())) {
122 return VerificationResult("Failed to import trusted public key.",
123 VerificationResult::ERROR_INTERNAL
);
125 // Parse the device certificate.
126 const uint8_t* device_cert_der_ptr
=
127 reinterpret_cast<const uint8_t*>(device_cert
.data());
128 const uint8_t* device_cert_der_end
= device_cert_der_ptr
+ device_cert
.size();
129 net::ScopedX509
device_cert_x509(
130 d2i_X509(NULL
, &device_cert_der_ptr
, device_cert
.size()));
131 if (!device_cert_x509
|| device_cert_der_ptr
!= device_cert_der_end
) {
132 return VerificationResult("Failed to parse device certificate.",
133 VerificationResult::ERROR_CERT_INVALID
);
135 // Verify device certificate.
136 if (X509_verify(device_cert_x509
.get(), ica_public_key_evp
.get()) != 1) {
137 return VerificationResult(
138 "Device certificate signature verification failed.",
139 VerificationResult::ERROR_CERT_INVALID
);
143 scoped_ptr
<CertVerificationContext
> tmp_context(
144 new CertVerificationContextOpenSSL(device_cert_x509
.release()));
145 tmp_context
.swap(*context
);
148 return VerificationResult();
151 std::string
VerificationResult::GetLogString() const {
152 return error_message
;
155 } // namespace cast_crypto
156 } // namespace core_api
157 } // namespace extensions
